man.isc-hmac-fixup.html revision 46472a450e043434d78fa18edc73bca8c47f3981
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<!--
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder - Copyright (C) 2000-2003 Internet Software Consortium.
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder -
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder - Permission to use, copy, modify, and/or distribute this software for any
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder - purpose with or without fee is hereby granted, provided that the above
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder - copyright notice and this permission notice appear in all copies.
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder -
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2eb84fc82d3ffa9116bc471fda3742bd9e5a24bbChristian Maeder - PERFORMANCE OF THIS SOFTWARE.
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder-->
2eb84fc82d3ffa9116bc471fda3742bd9e5a24bbChristian Maeder<html>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<head>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<title>isc-hmac-fixup</title>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<link rel="prev" href="man.genrandom.html" title="genrandom">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</head>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<div class="navheader">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<table width="100%" summary="Navigation header">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<tr>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<td width="20%" align="left">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<a accesskey="p" href="man.genrandom.html">Prev</a>&#160;</td>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<th width="60%" align="center">Manual pages</th>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<td width="20%" align="right">&#160;<a accesskey="n" href="man.nsec3hash.html">Next</a>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</td>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</tr>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</table>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<hr>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</div>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<div class="refentry">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<div class="refnamediv">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<h2>Name</h2>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</div>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<div class="refsynopsisdiv">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<h2>Synopsis</h2>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</div>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<div class="refsection">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<a name="id-1.14.30.7"></a><h2>DESCRIPTION</h2>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<p>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder Versions of BIND 9 up to and including BIND 9.6 had a bug causing
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder HMAC-SHA* TSIG keys which were longer than the digest length of the
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder longer than 256 bits, etc.) to be used incorrectly, generating a
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder message authentication code that was incompatible with other DNS
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder implementations.
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder </p>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<p>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder This bug has been fixed in BIND 9.7. However, the fix may
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder cause incompatibility between older and newer versions of
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder BIND when using long keys. <span class="command"><strong>isc-hmac-fixup</strong></span>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder modifies those keys to restore compatibility.
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder </p>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<p>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder To modify a key, run <span class="command"><strong>isc-hmac-fixup</strong></span> and
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder specify the key's algorithm and secret on the command line. If the
00ea7c5c930c8099128695c3d094fe8e08f9965cMartin Kühl secret is longer than the digest length of the algorithm (64 bytes
00ea7c5c930c8099128695c3d094fe8e08f9965cMartin Kühl for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
00ea7c5c930c8099128695c3d094fe8e08f9965cMartin Kühl new secret will be generated consisting of a hash digest of the old
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder secret. (If the secret did not require conversion, then it will be
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder printed without modification.)
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder </p>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</div>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<div class="refsection">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<a name="id-1.14.30.8"></a><h2>SECURITY CONSIDERATIONS</h2>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<p>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder Secrets that have been converted by <span class="command"><strong>isc-hmac-fixup</strong></span>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder are shortened, but as this is how the HMAC protocol works in
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder operation anyway, it does not affect security. RFC 2104 notes,
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder "Keys longer than [the digest length] are acceptable but the
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder extra length would not significantly increase the function
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder strength."
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder </p>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</div>
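<p>
 The conversion described under DESCRIPTION and the claim under SECURITY CONSIDERATIONS, shown as an added Python example; it is not ISC's code and not the <span class="command"><strong>isc-hmac-fixup</strong></span> source. It checks that an RFC 2104 HMAC produces the same tag for an over-long secret and for its hash digest. Assumptions: the secret is supplied base64-encoded, the conversion threshold is the byte figure this page states, and all function names and sample values are hypothetical.
</p>

```python
import base64
import hashlib
import hmac

# Byte thresholds stated on this page: 64 for SHA1 through SHA256 and
# 128 for SHA384 and SHA512. hashlib reports the same values as block_size.
ALGORITHMS = ("sha1", "sha224", "sha256", "sha384", "sha512")


def _hash_name(algorithm):
    name = algorithm.lower()
    if name.startswith("hmac-"):
        name = name[len("hmac-"):]
    if name not in ALGORITHMS:
        raise ValueError("unsupported algorithm: " + algorithm)
    return name


def fixup_secret(algorithm, secret_b64):
    """Return the secret unchanged, or the hash digest of an over-long one."""
    name = _hash_name(algorithm)
    secret = base64.b64decode(secret_b64, validate=True)
    if len(secret) <= hashlib.new(name).block_size:
        return secret_b64  # no conversion required
    return base64.b64encode(hashlib.new(name, secret).digest()).decode("ascii")


def rfc2104_tag(algorithm, secret_b64, message):
    """HMAC tag as computed by a standards-conformant implementation."""
    key = base64.b64decode(secret_b64, validate=True)
    return hmac.new(key, message, _hash_name(algorithm)).hexdigest()


def conversion_preserves_tag(algorithm, secret_b64, message):
    """True if the original and converted secrets authenticate identically."""
    converted = fixup_secret(algorithm, secret_b64)
    return hmac.compare_digest(rfc2104_tag(algorithm, secret_b64, message),
                               rfc2104_tag(algorithm, converted, message))


# Constructed sample input, not real key material.
LONG_SECRET = base64.b64encode(bytes(range(200))).decode("ascii")
SHORT_SECRET = base64.b64encode(bytes(range(32))).decode("ascii")
MESSAGE = b"constructed sample message"

if __name__ == "__main__":
    for alg in ALGORITHMS:
        new_len = len(base64.b64decode(fixup_secret(alg, LONG_SECRET)))
        print(alg, new_len, conversion_preserves_tag(alg, LONG_SECRET, MESSAGE))
```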
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<div class="refsection">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<a name="id-1.14.30.9"></a><h2>SEE ALSO</h2>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<p>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder <em class="citetitle">RFC 2104</em>.
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder </p>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</div>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</div>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<div class="navfooter">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<hr>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<table width="100%" summary="Navigation footer">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<tr>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<td width="40%" align="left">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<a accesskey="p" href="man.genrandom.html">Prev</a>&#160;</td>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<td width="40%" align="right">&#160;<a accesskey="n" href="man.nsec3hash.html">Next</a>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</td>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</tr>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<tr>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<td width="40%" align="left" valign="top">
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<span class="application">genrandom</span>&#160;</td>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<td width="40%" align="right" valign="top">&#160;<span class="application">nsec3hash</span>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</td>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</tr>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</table>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</div>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0a1</p>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</body>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder</html>
9929f81562adecc8aafaefb14a0159afcf4a3351Christian Maeder